We currently don't allow Skype usage on the LAN. The reasons ultimately come down to that great cover-all of "security", though I have to admit that these days I'm not sure if Skype has turned into a better product when talking about a business environment or not?

I know it used to be considered totally evasive of firewalls. I know it used to be considered a risk because of the P2P nature and the potential for exploits/file transfers and so on.

How do things stand now?

If I could get "something" that sat in our DMZ that internal Skype clients could connect to and the DMZ box dealt with actual inbound/outbound internet connectivity I'd be very interested, but such a product doesn't seem to exist?

I should add, bandwidth isn't the issue as we have lots. My main query is about the security of Skype/risk to our LAN.
– Hutch, Nov 20 '10 at 20:06

Skype will use all the bandwidth it can - I've read reports of a university with several Gig links to the Internet having problems with Skype users. Bandwidth is (imo) an issue as it's a possible security problem, from the perspective of a denial of service against other users on the network.
– RobM, Nov 20 '10 at 21:09

4

Skype does not pose any direct security risk in the traditional sense, but it may pose a risk to your security policy. That is, Skype allows for communication with the outside world that cannot be directly monitored by the IT department. Some companies require all communication to be monitored and/or recorded, which Skype prevents.
– tylerl, Nov 21 '10 at 2:24

6 Answers

Every business is different, so I doubt there's a single "right answer" here. Here are a couple of things to consider:

If your business is subject to strict regulatory regimes (such as HIPAA or SOX), a communications and conferencing solution that can be logged and audited (such as MS's Communications Server, which I guess is now called Lync) might be more suitable.

If your business deals with highly sensitive information, possible security vulnerabilities obviously become more salient. If you go to the Skype website and look at their page about firewalls, you'll see that you don't need to "open everything" as some have suggested -- but you do have to open a couple of ports, and Skype would prefer to have all outbound TCP ports open (although this is not required). Only you and your coworkers can say what constitutes an "acceptable risk" for your business.

If you have large numbers of users needing chat or video conferencing (or if you're bandwidth-constrained), Skype could easily cause network problems. Conversely, if it's just a handful of folks needing this capacity, Skype provides a free alternative to costly server-based enterprise software.

Finally, it's important to remember that no business software is "free" -- and consumer-targeted software that cannot be easily patched, upgraded, configured and otherwise managed with tools like SCCM or Group Policy can be quite "expensive" in terms of support.

As regards your question about "something in the DMZ" -- this would be a proxy server, no? It is my understanding that Skype can be configured to use a proxy. In the current version, those settings can be found at Tools > Options > Advanced Settings > Connections.

There might be a risk associated with it, even if only to our bandwidth if a few Skype users become supernodes.

As there's no business case for it, we're not going to take the time needed to research it any further, and our network security policy is to close off everything by default and open up when we see a need for it.

I'm not convinced one way or the other by any arguments that it's inherently a security risk, and they do now seem more professional in their approach to this issue than they were originally.

I'm sure Skype has its problems like every bit of software out there, and I'm sure that plenty of people are using it securely enough despite those problems. Again, like almost every other bit of software out there. I know it's a boring answer but everything has a risk attached to it and the question is whether the gain outweighs that risk.

You can, tylerl (and if you followed the link I gave that details how, too), but firstly that's not easy to do in, for example, an educational environment when you don't own the students' machines; and secondly that's still work that you don't need to do.
– RobM, Nov 21 '10 at 9:13

Interesting that simply being behind a NAT firewall disables supernode status. Skype will happily work with only ports 80/443 allowed out so opening a raft of additional ports isn't a concern.
– Hutch, Nov 21 '10 at 10:14

In my workplace we use Skype for conferencing from time to time and it works quite fine, but I work in a small business so:

We don't have the budget of bigger companies so free programs are very useful in some situations (in our case we only do conferencing sporadically).

We have open access to the Internet, since until now nobody has been so stupid as to use BitTorrent or similar P2P to clog the network (that is easy to spot since we don't have the bandwidth of big companies).

Skype is an excellent solution for small businesses, especially if you have a lot of international business or global satellite offices.

Free from PC to PC

Excellent plans for skype credit

PBX integration (including if you have an existing PBX)

If configured correctly, you can lock down Skype as needed. @Robert Moir is not entirely accurate. You can avoid the supernodes in an AD environment (DisableSupernodePolicy). Read the network admin manual.

If you have multiple data lines you can route Skype traffic via a dedicated line, avoiding latency on the network for other applications. You can even bandwidth-throttle Skype traffic if you force it to use UDP and not HTTP or HTTPS.

When making decisions on these types of technologies don't just look at functionalities; take into consideration productivity gains. In my case, teams are able to have a better long-distance conversation using video... this is important for productivity.

At the end of the day it's not perfect, but which app is? It's just another which can work if you implement it correctly.

I wouldn't recommend Skype on a secure LAN. It requires a mostly open firewall configuration. All ephemeral ports, and a few others, need to be open. Incoming traffic needs to be allowed to the PC running Skype.

If required, I would set up a separate LAN segment with UPnP (PMP) enabled. I did go through the exercise of figuring out what I needed to do when my wife was traveling. See my blog entry on firewalling Google Chat and Skype.

I just don't think that's true. Our current firewall only allows outbound ports 80/443 for "normal users" and Skype will happily work - I think it just adapts to whatever is available.
– Hutch, Nov 21 '10 at 10:15

This may work for outgoing calls. Skype lit up my firewall like a Christmas tree with outgoing and incoming probes. I normally don't allow outgoing connections unless I know the port (ephemerals included). Skype makes heavy use of the ephemeral ports.
– BillThor, Nov 22 '10 at 19:19
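The "lit up like a Christmas tree" pattern from the comment above is something a default-deny egress firewall can surface on its own: one host being refused on many distinct peers and high ports within seconds. The following is an added example (not from any poster on this thread), scanning constructed iptables-style LOG lines for hosts whose dropped outbound attempts outside the 80/443 allow-list reach many distinct destinations inside a sliding window; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style LOG lines (not from a real firewall): 10.0.0.15 is refused on six
# distinct peers/high ports in 15 seconds; 10.0.0.22 only trips two rules, minutes apart.
SAMPLE_LOG = """\
Nov 22 19:19:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.10 PROTO=UDP SPT=51234 DPT=40010
Nov 22 19:19:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.11 PROTO=UDP SPT=51234 DPT=40012
Nov 22 19:19:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=33001
Nov 22 19:19:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.8 PROTO=UDP SPT=51234 DPT=40013
Nov 22 19:19:12 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.44 PROTO=UDP SPT=51234 DPT=40015
Nov 22 19:19:15 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.45 PROTO=TCP SPT=51236 DPT=33002
Nov 22 19:19:20 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=192.0.2.45 PROTO=TCP SPT=51237 DPT=443
Nov 22 19:19:30 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.99 PROTO=TCP SPT=49152 DPT=8080
Nov 22 19:25:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.98 PROTO=TCP SPT=49153 DPT=8081
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_drops(log, allowed_ports=frozenset({80, 443})):
    """Yield (timestamp, src, dst) for DROPped attempts to ports outside the egress allow-list."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "DROP" or int(m["dpt"]) in allowed_ports:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
        yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["dst"]

def find_probing_hosts(log, window=timedelta(seconds=60), min_peers=5):
    """Return {src: peak distinct destinations} for hosts reaching min_peers in any window."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_drops(log):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):  # window starts at each event in turn
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= min_peers:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_probing_hosts(SAMPLE_LOG))  # {'10.0.0.15': 6}
```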

However, to limit the impact on those nodes, Skype throttles bandwidth usage, so the quality of your call will suffer regardless of the amount of bandwidth that is available to your network.

A solution to this would be to force all your Skype traffic via a SOCKS or HTTPS proxy that has a dedicated native NAT translation (ie it doesn't use PAT), but here's the thing: Skype will only use the proxy if there is no other route to the Internet, so even if you configure your Skype client to use a proxy, it will ignore it! (WAT?)

There are ways and means around this by editing registry files and distributing XML files to Mac OS etc, but in a large organisation, this isn't practical.